Method and postal apparatus with a chip card write/read unit for reloading change data by chip card

ABSTRACT

A postal apparatus, particularly a postage meter machine, has a chip card write/read unit for reloading fee schedule change data by chip card. In combination. with a first-time insertion of the chip card, an appertaining controller of the postage meter machine allows a first reloading and—as a result thereof—a writing of data into the chip card. The use data in the chip card are thereby modified in a predetermined way, so that, given a repeated data loading, the chip card supplies usable data only in the same postage meter machine. The use data are stored in a first memory area of the chip card and include the remaining use data and variable data, or a crypto code following the initial use. A protective code, formed after the. initial use for the authorization of the use data is stored in a second memory area of the chip card.

BACKGROUND OF THE INVENTION

1. Field of the Invention

The present invention is directed to a method and to a postal apparatus,particularly a postage meter machine, of the type having a chip cardwrite/read unit for reloading change data by chip card into the postagemeter machine or into a postal scale.

2. Description of the Prior Art

The reloading of postage fee tables into a postage meter machine by chipcard via a chip card write/read unit is already disclosed in U.S. Pat.No. 5,606,508 for postage meter machines and in U.S. Pat. No. 5,710,706for scales. The control unit of the postage meter machine performs amonitoring function with respect to the conditions for data updating andcontrols the reloading.

Modern postage meter machines such as, for example, the thermal transferpostage meter machine disclosed by U.S. Pat. No. 4,746,234 utilize fullyelectronic digital printer devices. It is thus fundamentally possible toprint arbitrary texts and special characters in the postage stampprinting area and to print an arbitrary advertizing slogan or oneallocated to a cost center. For example, the postage meter machine T1000of Francotyp-Postalia AG & Co. (Postalia, Inc. in the U.S.) has amicroprocessor that is surrounded by a secured housing having an openingfor the delivery of a letter. Given delivery of a letter, a mechanicalletter sensor (microswitch) communicates a print request signal to themicroprocessor. The franking imprint contains a previously entered andstored postal information for dispatching the letter.

It is also known to store data specific to cost centers on chip cards inorder to make the user-specific information mobile (portable) and toavoid an intentional misuse of other cost centers. U.S. Pat. Nos.5,606,508 (corresponding to German OS 42 13 278) and 5,490,077 disclosea data entry with chip cards for the aforementioned thermal transferpostage meter machine. One of the chip cards loads new data into the.postage meter machine, and a set of further chip cards allows a settingof correspondingly stored data to be undertaken by plugging in a chipcard. Loading data and setting the postage meter machine are thuspossible in an easier and faster manner than via a keyboard input. Thekeyboard of the postage meter machine remains small and surveyablebecause no additional keys are required in order to load or setadditional functions. A plug-in slot of a chip card write/read unit, inwhich the respective chip card is to be plugged by the customer within atime window, is located on the back side of the postage meter machine.Due to the lack of direct visual contact, an unpracticed user often doesnot always succeed in inserting the required chip cards in immediatesuccession, which then leads to unwanted delays. The plug-in slot of achip card write/read unit is only easily accessible when the user bendsover the machine. The problems in producing visual contact increasegiven larger machines. The user often has a number of other chip cardsthat can be plugged in. One chip card type (size format), for exampletelephone cards, credit cards and the like, can be physically insertedinto the postage meter machine but will not be accepted. Without visualcontact, however, the error is not always immediately obvious. Thepostage meter machine only works with relatively expensive chip cardsthat are themselves equipped with a microprocessor (smart card) and arethus able to check whether the postage meter machine communicates avalid data word to the chip card before an answer is sent to the postagemeter machine. When, however, no answer or user identification ensues,this is registered as an error in the postage meter machine and isdisplayed before a request to remove the chip card is displayed in thedisplay. To register an erroneously inserted telephone card as attemptedfraud, however, would not be reasonable given the not unlikelyoccurrence of an “innocent” mistake.

A modified technique for scales is disclosed in the aforementioned U.S.Pat. No. 5,710,706. The chip card write/read unit of this postage metermachine is employed fro the additional purpose loading new postage feetables into the corresponding non-volatile memories of the scale. Thedifferent fee schedule structure and fee schedules of further mailcarriers also can be loaded. Since the available memory capacity on achip card is limited, all required data are sequentially loaded into thescale via the postage meter machine with a series of chip cards whichare successively inserted.

As an alternate way for solving the further problem that there is onlylimited memory capacity available on a chip card, U.S. Pat. No.4,802,218 discloses that a number of chip cards be simultaneouslyemployed, these being plugged into a number of write/read units. Inaddition to a user chip card for the recrediting and debiting wherebythe postage fee value is subtracted from the credit, a master card and afurther rate chip card with a stored postage fee table aresimultaneously plugged in. By accessing a postage fee table, a postagefee value can be determined according to the input weight and shippingdestination without loading an entire table into the machine. Since,however, a respective write/read unit is required for every chip card,the apparatus becomes too large and expensive. Moreover, a separatereloading terminal is required in order to replenish the credit in theuser chip card, with the master card providing the authorization forthis reloading function. A supervisor card has access to all mastercards. Various security levels are accessible by appertaining key codes.Such a system with a number of slots for chip cards is very complexoverall.

German OS 196 05 015 discloses an embodiment for a printer device(JetMail®) that, given a non-horizontal, approximately vertical lettertransport, implements a franking imprint with an ink jet print headstationarily arranged in a recess behind a guide plate. For recognizingthe start (leading edge) of a letter, a print sensor is arranged shortlybefore the recess for the ink jet print head and collaborates with anincremental sensor. The letter transport is free of slippage due topressure elements arranged on the conveyor belt, and the incrementalsensor signal derived during the transport has a positive influence onthe quality of the print image. Given such a postage meter machineexhibiting larger dimensions, however, a chip card write/read unit wouldhave to be arranged and operated such that sequentially pluggable chipcards can be unproblematically used.

The chip cards are usually initialized by the chip card manufacturer andthe postage meter machine manufacturer, however, it is complicated forthe postage meter machine manufacturer to take specific customer wishesinto consideration. Although information with respect to the postagefees matched to the current fee schedules must be communicated to theindividual user of a postage meter machine, it affects all users ofpostage meter machines. A non-personalized chip card would have theadvantage of being able to be produced on a mass production basis whichcould be implemented on short notice immediately before a fee schedulechange. Given a freely purchasable non-personalized reloading card,however, there is the possibility that users of postage meter machinesmay have received the reloading information from other users withoutadequately compensating the actual service vendor. A universalrequirement to purchase reloading cards cannot be implemented becausesome users would then be required to purchase unneeded information. Thiswould be the case, for example, when only details of the reloadinginformation that are not relevant to all users are modified. Finally, itis also technically unnecessary to replace an entire table only becauseof a few modified details. Moreover, commercially available programmingdevices exist with which a new chip for a chip card can be burned-in. Afinal consideration is that a data bank with expensive data banksecurity would only be required to prevent a misuse, and thus may not beneeded when the risk of misuse or the incentive to tamper is low.

For some specific chip card applications, there is far less of asecurity risk for the protection or devaluation (theft) of the monetarydata present on the chip card. Thus, an estimate of the tamperingpotential or of the tamperer categories is fundamentally required forevery application in order to achieve the desired security level withmeasures that are reasonable in terms of outlay. The axiom “as much asnecessary, as little as possible” thereby applies. A registered. postagemeter machine use number would too obviously divulge the user identifierto an attacker. A certain deterrence threshold for theft by copying musttherefore be present.

Often, chip cards have only a highly limited memory capacity. This isespecially true of inexpensive chip cards. Thus, memory cards areusually implemented with a few hundred bits of memory capacity. Thismemory capacity is insufficient for accepting the full scope offee-specific data. There are numerous security methods based partly onaccess-protected physical areas of the chip cards and partly ondifferent cryptographic protection algorithms. A disadvantage of thesemethods is that a high initialization outlay must be expended, forexample for the individualization of the cards by assigning PINs or forcode administration given cryptographic methods. Known security methodsare unsuitable insofar as they require a great deal of additional memorycapacity on the chip card. Deleting the data on the chip card aftertheir one-time use in fact requires no additional memory capacity on thechip card but must still remain out of consideration because the methodwould preclude a repeated use of the reloading card at the same postagemeter machine. A repeated use of the reloading card at the same postagemeter machine is required for recovery in case of error if theappertaining data have been lost in the postage meter machine and mustbe restored. A repeated use of the reloading card at the same postagemeter machine also can be required as needed for the purpose ofpre-dating mail, particularly when a change in fee schedule takes effectin the time span between normally dated mail and pre-dated mail. In thepre-dating to a future date of mail to be carried by a selected mailcarrier, mail is already franked in bulk several weeks or days beforethe shipment and is warehoused until the shipment date. A correspondingcarrier-related chip card loads carrier-related reloading data into thepostage meter machine. After the end of the one franking job, a newfranking job is to be processed. To this end, another carrier-relatedchip card can load carrier-related reloading data into the postage metermachine. Since the postage meter machine cannot load and store all datafor all carriers, a repeated use of the reloading card is required inorder to implement pre-dated mail processing in alternation.

SUMMARY OF THE INVENTION

An object of the present invention is to provide a fraud-proof methodand postage meter machine with a chip card write/read unit for reloadingfee schedule change data into a postage meter machine or into a scale bychip card. The method and machine should allow an easily accessible chipcard write/read unit and an appertaining controller to be utilized and aset of unpersonalized chip cards should be made available to the user,these allowing a reloading of information for the implementation ofpostage meter machine functions, or their combined application, as oftenas necessary. On the other hand, a protection against multiple use ofone and the same chip card in other postage meter machines when the usedchip card is handed over should be created.

The above object is achieved in accordance with the invention in amethod and machine wherein, before the utilization of the data stored ona first chip card, a postal apparatus, particularly a postage metermachine, modifies this data with the assistance of a specificcrypto-algorithm and a suitable, device-specific, first key, such thatthe data can only be decrypted with the assistance of this key. The usedata are stored in a first memory area of the aforementioned chip cardand include the remaining use data and variable data, or a crypto codeafter the initial use. A repeatedly used chip card only supplies usabledata for the same device that implemented the personalization of theunpersonalized chip card when it was inserted for the first time.

In the case of a renewed data loading from the first chip card into thepostal apparatus an additional inscription of data modified in apredetermined way in the postal apparatus into the chip card isimplemented as a result of the reloading.

Additionally, given a repeated use of the first chip card, the modifieddata differ dependent on the number of uses, so that a renewed dataloading into the postal apparatus and an additional inscription of datamodified in another predetermined way in the postal apparatus ensue intothe chip card. The modification only affects the form of the data andtheir storage in memory locations, however, it has no effect on thecontent of the information that can be reloaded at any time. The postalapparatus can reconstruct the original information independently of theencrypted or unencrypted form. The nature of the modification ispredetermined by the stored program. A reversible encryption algorithmsuch as, for example, DES (Data Encryption Standard) is preferablyemployed.

Alternatively, data segments or at least functions derived from the dataor data segments, can be modified in a predetermined way in order tothen rewrite these segments or functions in a memory area as code.

The writing of a code based on initial data into the chip card, givenrepeated insertion thereof, can be additionally employed for the purposeof verifying the authenticity of the chip cards before the chip carddata are used again internally in the postage meter machine. A code isstored in a second memory area of the chip card for the authorization ofthe use data, or a different code is stored after the initial use. Asecond key is stored in the chip card in hidden form. An identicalsecond key is likewise stored in a manner so as to be protected againstunauthorized reading in all postage meter machines. For example, thesecond key can be scrambled or functionally operated with the datachecksum in a predetermined way, so that the key is also given adifferent appearance with every new fee schedule table. A third key thathas a predetermined relationship to the second key exists in everypostage meter machine.

This second key—similar to a recursive method—is inventively co-encodedby the third key, resulting in the execution of a check routine forauthenticity in a protected (postage meter machine) device environmentwithout having the second key leave the postage meter machine during theprocedure or having its secrecy compromised. After the decoding of thedata or data parts or data functions, the verification of the dataauthenticity now ensues internally in the device at least on the basisof the check of a predetermined relationship between the secret secondkey of the chip card and the third key of the postage meter machine.Additionally, the checksum formed over the unencoded chip card data canbe utilized for the authenticity check in a form modified in apredetermined way with the second key. This requires an interleavedcheck of mutually dependent data that have a predetermined relationshipto one another. After use of the chip card, the data inventively remainin a form modified by the first postage meter machine—specific key,which precludes a meaningful use of the data given an attempt to thechip card at a different postage meter machine, as well as leading toblocking of the chip card, or of the postage meter machine, when theattempt is made.

In particular, the invention creates a chip card/postage meter machinesystem, so that an automatic reloading of a postage meter machine can beachieved after the insertion of a reload chip card—recognizable withrespect to its type—into a chip card write/read unit without having thesame chip card likewise produce a reloading after being inserted into achip card write/read unit of another postage meter machine. The cryptocode is calculated in the postage meter machine and written into thechip card, so that the chip card supplies usable data only for the samepostage meter machine. Also a MAC protection technique is utilized thatrequires little memory capacity on the chip card and nonetheless allowsa machine-check of the authenticity of the chip card data.

The chip card/postage meter machine system can be arbitrarily expandedor modified. A different inserted chip card type can be recognized bythe postage meter machine and correspondingly interpreted. The postagemeter machine thus can be operated with an optimally inexpensive chipcard type dependent on the nature of a particular application.

Arranging the chip card write/read unit behind the guide plate of thepostage meter machine allows easy access thereto. The chip card can beseen well during the insertion, and the type of chip card being insertedat the moment thus also can be easily determined on the basis of acorresponding identification.

For a data update among all the postage meter machine users, a deliveryof unpersonalized chip cards with identical content to the respectiveusers can ensue as a massed-produced product, it being incumbent uponthe supplier to undertake measures for the protection of the originalchip cards against unallowed copying until the first reloading. Acertain deterrence threshold for theft by copying is also achieved byusing a specific, particularly rarer card type that is thus moredifficult to acquire. Second, however, it is assured that, following theinitial use of the card by a postage meter machine, this card can onlybe used at this specific apparatus and that a data use at other postagemeter machines is no longer possible. A necessity to surrender the datacontent of a chip card already used once for reloading for multiple useat other postage meter machines thus is avoided.

DESCRIPTION OF THE DRAWINGS

FIG. 1a illustrates details of the memory areas of the unpersonalizedchip card in accordance with the invention.

FIG. 1b shows a set of chip cards of a different type used in accordancewith the invention.

FIG. 2 is a block circuit diagram of a postage meter machine constructedand operating in accordance with the invention.

FIG. 3 is a perspective view of a postage meter machine from behind inaccordance with the invention.

FIG. 4a is an illustration of the data structure before the initialreloading in accordance with the invention.

FIG. 4b is an illustration of the data structure after the initialreloading in accordance with the invention.

FIGS. 5a and 5 b are a flowchart for control by the microprocessorduring data reloading with a chip card in accordance with the invention.

DESCRIPTION OF THE PREFERRED EMBODIMENTS

FIG. 1a shows a chip card 49 with a contact field. As is known, thememories are located under the contact field of the chip, the memoryareas thereof being divided into unprotected and protected areas. Theuse data are stored in the unprotected area and a messageauthentification code MAC is stored in the protected area. This chipcard 49 belongs to the type b. Further chip cards that belong to othertypes are provided for the utilization in the postal apparatus,particularly in a postage meter machine. The postage meter machine istherefore equipped with a corresponding chip card write/read unit for anumber of types.

The method for reloading change data into a postage meter machine bychip card begins with an initial insertion of a first chip card 49 intoa chip card write/read unit, automatic type recognition and reloading ofuse data from the first chip card 49 into the postage meter machine. Amodification of data from the loaded use data ensues in a predeterminedway in the postage meter machine. As a result of the first reloading,data modified in a predetermined way in the postage meter machine arewritten into the chip card 49. Upon insertion of a second chip card 47into the chip card write/read unit, a reloading of data from the secondchip card 47 into the postage meter machine likewise ensues afterautomatic type recognition. Data are thereby partially overwritten ordeleted. This has the following background: The postal authority canprovide the broad spectrum of services itself or commissionsub-contractors or private mail carriers to undertake a handling ofmail, for example courier mail. The mail pick-up and/or the expressdelivery thereof is then carried out by the sub-contractor who,consequently, also demands payment according his own fee schedules forthis special service. Given reloading of the mail carrier identifier andof the corresponding postage fees of the subcontractor or private mailcarrier, the mailings can then continue to be franked with postage metermachines.

For all other mail carrier services, the first chip card 49 contains thepostage fees corresponding to the fee schedule of the postal authorityand a mail carrier identifier. Upon subsequent, repeated insertion ofthe first chip card 49, an automatic type recognition and a data loadingfrom the chip card 49 into the postage meter machine ensue. Thereloading relates to the charges according to the valid fee schedule forthis specific service on the part of the mail carrier and relates todata or the number of the mail carrier identifier. The original datathus can be reconstructed in order to subsequently frank the mail withthe postage meter machine with the stamp format and according to the feeschedule of the postal authority as in the beginning. Such mail cancontinue to be taken to any post office. A subsequent write-in of datamodified in a predetermined way in the postage meter machine into thechip card is again provided in this later, repeated insertion, the chipcard 49 consequently continuing to supply usable data only for the samepostage meter machine.

At least one application of possible operating functions of a postagemeter machine is provided for every chip card type, and themicroprocessor is programmed to distinguish the application type basedon the chip card type.

A hierarchic structure that—as shown in FIG. 1b—can be arbitrarilyexpanded and modified by the postage meter machine user proceeding froma first chip card exists for a number of type a chip cards. The firstchip card 50 is at the highest hierarchy level and is referred to belowas the master card. The second chip cards referenced 51 in the group areat the first hierarchy level, the further chip cards referenced 52 inthe group are at the second hierarchy level, the following chip cardsreferenced 53 in the group are at the third hierarchy level, etc. Cardsfrom these groups of chip cards for which the function applicationauthorization is stored tabularly level-by-level, limited in selectablefashion, are also referred to as successor cards. The cards of thelowest hierarchy level are the most limited in function applicationscope. Each card contains a consecutive number for which functionapplication programs are stored in the postage meter machine, theallocation being freely programmable for (or by) the authorized user.The protection of the cards against readout of the consecutive number ispossible in a known way by PIN or other security algorithms. Given lossof the master card, a replacement is only possible via a communicationwith the postage meter machine manufacturer, with correspondingdocumentation as to the authenticity being supplied by the requestor.The inhibiting or enabling of all other cards is possible with themaster card. A further security factor in the initialization of thesystem with the assistance of the master card is achieved because onlyphysically present cards can be initialized. As a result, the secret,consecutive numbers of the cards are protected. An inhibit of thecorresponding memory area of the postage meter machine can ensue when asuccessor card is lost.

Type b chip cards serve for reloading table data, particularly feeschedule change data. One chip card 49 can contain the currently validversion and one chip card 48 can contain predetermined change data for aversion of a postage fee table valid in the future. The version valid inthe future can be required when franking mail for producing pre-datedmail. Subsequently, the change with the chip card 48 can be reversed byloading with the chip card 49. Advantageously, thus, the memory capacityin the postage meter machine for postage fee tables need not be expandedbut can remain limited to an optimum size. This is especiallyadvantageous for a multi-carrier postage meter machine that should havethe fee schedules of a number of mail carriers available, or take theminto consideration. Further chip cards 47 are provided for this purposewith data corresponding to the other fee structure of other mailcarriers, etc., for carrier-related reloading of fee schedule changedata.

Inventively, the postal apparatus, particularly a postage meter machine,is equipped with a chip card write/read unit 70 for reloading changedata by chip card and with a printer 20 that is controlled by a controlsystem 1.

A first chip card 49, inserted into a plug-in slot 72 of the chip cardwrite/read unit 70, allows a reloading of a dataset CK into the postagemeter machine for at least one application. The control system 1includes a control device 90 equipped with memories 92, 93, 94, 95. Theprogram memory 92 contains the operating program and at leastsecurity-relevant component parts of the program for the predeterminedform change of a part of the use data. The main memory RAM 93 serves forvolatile intermediate storage of intermediate results. The clock/datamodule 95 likewise contains addressable but non-volatile memory areasfor intermediate storage of intermediate results or known program partsas well (for example, for the DES algorithm and thus is referred tobelow as one of the non-volatile memories). It is provided that thecontrol device 90 of the postage meter machine is connected to the chipcard write/read unit 70, whereby the microprocessor 91 of the controldevice 90 is programmed

a) to access first and second memory areas C1 and C2 of the non-volatilememories 94, 95 of the control device 90 in which the dataset CK loadedfrom the chip card and the dataset CK′ to be newly loaded into the chipcard are stored;

b) to apply a specific calculating operation or mask to the use data Ncontained in the loaded dataset CK in order to undertake a data removalfrom the memory area C1 with separation of the predetermined use data N′from the remaining use data N*;

c) to access the memory areas C3 and C4 of the non-volatile memory 94,95 of the control device in which at least a first key K1 and anencryption algorithm are stored in a manner protected against anunauthorized readout;

d) to encrypt the predetermined use data N′ with the first key K1 toform a crypto code KC and to store it in the second memory area C2, andto form the new dataset CK′ using the remaining use data N*;

e) to load the new dataset CK′ that is formed into the chip card; and

f) to load the use data N from the memory area C1 for their applicationin corresponding memory areas.

The microprocessor is programmed to distinguish the applications basedon the chip card type, with at least one application of possibleoperating functions of a postage meter machine being provided for eachchip card type. In an expanded embodiment, the microprocessor isprogrammed for reloading and modifying data N′ from the loaded use dataN and for checking the authorization of the use data, with the use databeing stored in a first memory area CC1 of the chip card and containingthe remaining use data N* and variable data N′ or a crypto code KC afterthe initial use. Also in this expanded embodiment a code MAC2, oranother code MAC1, after the initial use is stored in a second memoryarea CC2 of the chip card for authorization of the use data. To thatend, a third key K3 and an encryption algorithm are stored in the memoryareas C3 and C4 of the non-volatile memory 94, 95 of the control device90 in manner protected against unauthorized readout. The crypto code KCis calculated in the postage meter machine and written into the chipcard, so that the chip card supplies usable data only for the samepostage meter machine.

FIG. 2 shows a block circuit diagram for setting the function of thepostage meter machine and for driving the printer 20 with a chip cardwrite/read unit 70 and with a control system 1 of the postage metermachine. The control system 1 forms the actual meter and includes afirst control device 90, a keyboard 88 and a display unit 89 as well asa first and a second application-specific circuits (ASIC) 87 and 97. Thefirst control device 90 contains a first microprocessor 91 and knownmemories 92, 93, 94 as well as a clock/date circuit 95. Areas forstoring accounting data that are allocated to the cost centers areprovided in the non-volatile memory 94.

Together with a second microprocessor 85 and a non-volatile memory 84,the first ASIC 87 forms a postal security module PSM 86. The postalsecurity module PSM 86 is enclosed in a physically secured housing andhas a fast serial interface to the printer control 16. A hardware-baseddebiting in the first ASIC 87 ensues before every franking imprint. Thedebiting ensues independently of cost centers. The second microprocessor85 contains an integrated read-only memory int.ROM (not shown) with thespecific application program that is approved for the postage metermachine by the postal authority, or the respective mail carrier. Thepostal security module PSM 86 can be implemented as disclosed in greaterdetail in European Application 789 333.

Both ASICs 87 and 97 are connected via the parallel μC bus to at leastthe control device 90 and the display unit 89. The first microprocessor91 preferably has terminals for the keyboard 88, a serial interface SI-1for the connection of the chip card write/read unit 70 and a serialinterface SI-2 for the optional connection of a modem. The credit storedin the non-volatile memory 84 of the postal security module PSM 86 canbe increased with the modem.

The second ASIC 97 has a serial interface circuit 98 to a precedingdevice 13 in the mail stream, a serial interface circuit 96 to theprinter device 20 and a serial interface circuit 99 to a device 18following the printer device 20 in the mail stream.

A suitable peripheral device embodying such interfaces is described inGerman Application 197 11 997.2 (as yet unpublished), corresponding topending U.S. application Ser. No. 09/041,469 filed Mar. 12, 1998(“Arrangement for Communication Between Stations of a Mail ProcessingMachine,” Kunde et al.) assigned to the same assignee as the presentapplication.

The interface circuit 96 coupled with the interface circuit 14 locatedin the machine base produces at least one connection to the sensors 6,7, 17 and to the actuators, for example to the drive motor 15 for thedrum 11 and to a cleaning and sealing station RDS for the ink jet printhead 4, as well as to the ink jet print head 4 of the machine base.

Further details of the interaction between the print head 4 and thecleaning and sealing station RDS are disclosed in German Application 19726 642.8 (not yet published, corresponding to pending U.S. applicationSer. No. 09/099,473, filed Jun. 18, 1998 (“Device for Positioning an InkJet Print Head and a Cleaning and Sealing Device,” von Inten et al.)assigned to the same assignee as the present application.

One of the sensors 7, 17 arranged in the guide plate 2 is the sensor 17and serves the purpose of preparing the print initiation during lettertransport. The sensor 7 serves for recognizing the start of the letterfor the purpose of print initiation during letter transport. Theconveyor arrangement is composed of a conveyor belt 10 and two rollers11, 11′. One of the rollers is the drive roller 11, connected to the amotor 15, another is the entrained tension roller 11′. The drive roller11 is preferably a toothed roller; accordingly, the conveyor belt 10 isa toothed belt, assuring a positive force transmission. An encoder iscoupled to one of the rollers 11, 11′. The drive roller 11 together withan incremental sensor 5 is preferably firmly seated on a shaft. Theincremental sensor 5 is implemented, for example, as a slotted disk thatinteracts with a light barrier 6, forming the encoder.

The individual print elements of the print head 4 are connected withinits housing to print head electronics, and the print head can be drivenfor a purely electronic printing. The print control ensues on the basisof the path control, with the selected stamp offset being taken intoconsideration, this being entered by keyboard 88 or, as needed, by achip card and being non-volatilely stored in the memory NVM 94. Aplanned imprint thus derives from the stamp offset (without printing),the franking imprint image and, possibly, further print images foradvertizing slogan, dispatching information (selective imprints) andadditional, editable messages.

The chip card write/read unit 70 is composed of a mechanical carrier forthe microprocessor card and a contacting arrangement 74. The latterallows a reliable mechanical holding of the chip card in the readposition and unambiguous signaling of when the read position of the chipcard in the contacting arrangement 74 is reached, for example a tactilesignal by a pressure point according to the push/push principle, aneject key or a display beeper message of the postage meter machine. Areliable electrical contacting of chip cards with contacts according toISO 7816 for at least 100,000 contacting cycles, as well as easyutilization when plugging and pulling the chip card are thus achieved.The microprocessor card with the microprocessor 75 has a programmed-inread capability for all types of memory cards, as well as for chip cardswith and without PIN coding. An encryption or deciphering for securityalgorithms (for example, RSA, DES) is not required. The interface to thepostage meter machine is a serial interface according to RS232 standard.The data transmission rate amounts to a minimum of 1.2 Baud. A self-testfunction with ready message can be manually implemented or can beautomatically implemented after turning on the power supply with switch71.

FIG. 3 shows a perspective view of the postage meter machine frombehind. The postage meter machine is equipped with a chip cardwrite/read unit 70 that is arranged behind the guide plate 2 and isaccessible from the upper housing edge 22. After the postage metermachine is turned on with the switch 71, a chip card 50 is plugged fromtop to bottom into the insertion slot 72 and can be programmed by theuser for specific applications. Within the limits prescribed by themanufacturers, this ensues with the user interface 88, 89 of the controlsystem 1 of the meter. The successor cards are configured by the userfor predetermined function applications for the respective postage metermachine. The peripheral devices of the postage meter machine can beelectrically connected to the interfaces 98 and 99 and thus can bedriven by the meter according to the chip card input. A letter 3supplied standing on edge that has its surface to be printed lyingagainst the guide plate is then printed with a franking stamp 31according to the input data. The letter delivery opening is laterallylimited by a transparent plate 21 and the guide plate 2.

A predetermined cost center is set with the insertion of a first chipcard 50 that was supplied together with the postage meter machine. Forexample, the cost center 1 is pre-set, the accounting ensuing withrespect thereto in order to gain access to other cost centers when noother predetermined inputs are actuated by keyboard.

The postage meter machine contains a corresponding application programin its program memory 92, so that a first chip card 50 plugged into thechip card write/read unit 70 allows a setting of the postage metermachine for at least one function application on the highest hierarchylevel. Such a type a chip card having only a small memory capacity isinexpensive. According to ISO 7816, a memory card having 256 bytes suchas, for example, OMC240SF of the Orga Company can be used.

Another chip card having significant memory capacity is referred tobelow as type b. For example, an I²CBus memory card having 32 Kbytesaccording to ISO 7816, particularly AM2C256 of the AMMI company, can beemployed. This contains a chip AT24C256 of the Atmel company.

Further chip cards are referred to below as type n. For example, a chipcard with 8 Kbytes and having a microprocessor can be employed. Thefurther chip cards of the types b through n relate, for example, to thefollowing function applications:

reload possibility of the postage fee tables via chip card 49,

slogan reloading via chip cards (daily stamp),

chip cards with limited function application,

chip cards with PIN authorization of functions,

chip cards for setting peripheral device function,

chip cards for setting system configuration,

chip cards for the activation of programmed print formats.

FIG. 4a is an illustration of the data structure in the status A of thedata storing in the memory areas CC1 and CC2 of the chip card before theinitial reloading. The use data N stored in the unprotected areapreferably relate to a fee schedule table. A part of the use data alwaysremains unencrypted. These data are referred to below as remaining usedata N*. Another part N′ of the use data is unencrypted only before theinitial reloading. This part is subsequently replaced, for example, byencoded data or by a crypto code KC, so that a status B according toFIG. 4b derives in view of the data structure. The data in the memoryarea CC1 of the chip card are thereby modified in a predetermined way bywriting a new dataset CK′ into the chip card. The new dataset CK′ nowincludes a crypto code KC in the memory area CC1 of the chip card. Atevery repeated data loading, thus, the chip card only supplies usabledata when it is inserted into the write/read unit of the same postagemeter machine.

A message authentification code MAC2 is stored in the protected memoryarea CC2 of the chip card and contains a data part encrypted with asecond key K2. The latter includes the CRC checksum of selected use dataN′ and the code of the second key K2, whereby CRC checksum of theselected use data N′ and the message authentification code MAC2 areoperated in a predetermined way with a suitable calculating operationthat is symbolized by the semicolon. The data from the chip card memoryareas CC1 and CC2 of the chip card 49 inserted into the plug-in slot 72that are compiled into a dataset CK are loaded and processed, this beingexplained in greater detail with reference to FIGS. 5a and 5 b.

The status B of the data storing of a new dataset CK′ in the chip cardshown in FIG. 4b relates to a data structure newly loaded into the chipcard after the initial reloading, this being stored in the previous chipcard memory areas CC1, CC2. The remaining use data N* that are stored inthe first area CC1 preferably relate to parts of a fee schedule table.Data parts which are inserted scrambled are added thereto. In thescrambling, the data parts encrypted with a first key K1 to form acrypto code KC are hidden between the remaining use data. They arethus-distributed on the chip card memory area CC1. A new messageauthentification code MAC1 is stored in the protected are CC2. This isformed by encryption of the previously stored message authentificationcode MAC2. The encryption ensues with the first key K1 in the postagemeter machine before the loading and storage in the chip card.

FIG. 5a shows a portion of a flowchart for control by the microprocessorof the postage meter machine in the data reloading with a chip card.

After a power supply (not shown) of the postage meter machine is turnedon with the switch 71, which is registered by the microprocessor 91 ofthe postage meter machine in the step 100, a microprocessor 75 connectedto a contacting arrangement 74 of the chip card write/read unit 70signals the microprocessor 91 of the postage meter machine when a chipcard is inserted into the plug-in slot 72, which is registered by themicroprocessor 91 of the postage meter machine in the step 101. Acommunication according to a predetermined protocol between the chipcard write/read unit 70 and the chip card and an evaluation in step 102then ensues as to determine whether the chip card is readable as type a.When this is the case, a branch is made from the inquiry step 103 to astep 111 in order to load a part I of the identifier string into thenon-volatile memory 94 of the postage meter machine, with an evaluationof the company identification number (company ID) being undertaken bythe microprocessor 91 of the postage meter machine. If, however, thechip card is not readable as type a, a branch is made from the inquirystep 103 to a step 104 in order to undertake a communication accordingto a second predetermined protocol and an evaluation in step 104 as towhether the chip card is readable as type b. When the chip card isreadable as type b, a branch is made from the inquiry step 105 to a step106 for further data processing with the microprocessor 91 of thepostage meter machine. In a comparable way as warranted, furtherprotocols are executed (steps 107, not shown in detail) to determine inthe inquiry step 108 whether the chip card is readable as type n, inorder to then branch to a corresponding step 109 for further dataprocessing by the microprocessor 91 of the postage meter machine.Otherwise, when the type of the chip card is not recognized, a branchback to the step 101 ensues after an error message in the step 110.

A better adaptation to the respective application results compared toprior art techniques. By contrast, the solution according to U.S. Pat.No. 5,606,508 (German OS 42 13 278) or U.S. Pat. No. 5,490,077 does notaccommodate cards of different types, i.e. the chip cards are alltechnologically and functionally the same and a time window for theinsertion of a chip card is an invariable, fixed time period. In U.S.Pat. Nos. 5,606,508 and 5,490,077 (in the latter, the sequence is fixedand a chip card A for loading postage fee tables must be plugged inbefore a chip card B that, for example, sets a cost center), theinventive sequence for the sequential plugging of a series of chipscards internally initialized in the postage meter machine is arbitrary.

The inventive flowchart according to FIG. 5a thus allows the postagemeter machine to make a distinction according to different chip cardtypes. An expensive chip card type thus has to be utilized only in thoseinstances where there is no alternative. Advantageously, a suitable chipcard type is selected according to the type of application.

When the data processing by the microprocessor 91 of the postage metermachine is implemented in a manner predetermined by the chip card type,monitorings are undertaken according to specific criteria and any errorsare displayed (steps 122-124, 128-130, 154) before further use of thepostage meter machine is suppressed (step 131).

A type b chip card is utilized when a branch is made from the inquirystep 105 to a step 106. This is provided in order to load the dataset CKstored in the chip card 49 into a first memory area C1 of thenon-volatile memory 94 of the postage meter machine. The dataset CK canbe represented as follows:

CK:=N; MAC2  (1)

The unencrypted part of the dataset CK contains the new use data N to beloaded. The encrypted part of the dataset CK is a messageauthentification code MAC2 that is likewise loaded into the postagemeter machine. The semicolon between the two in the above Equation (1)corresponds to a specific operation. Only in the simplest case are thetwo parts appended to one another. For example, a postage meter machinethat is surrounded by a protective housing has a third code K3 stored inthe memory area C3 of the non-volatile memory 94, this third code K3being capable of deciphering the message authentification code. Theencryption algorithm can be stored in a further memory area C4 of thenon-volatile memory 94 of the protected postage meter machine. The thirdkey K3 and the encryption algorithm can be stored protected againstunauthorized reading. The microprocessor 91 is preferably an OTP(one-time programmable) type.

In an especially secure embodiment, the first and third keys K1, K3 andthe encryption algorithm are stored in the non-volatile memory 84 of thepostal security module PSM 86. The required computational operationssuch as encryption and deciphering are undertaken by the microprocessor85 in the postal security module PSM. This can likewise be an OTP(one-time programmable) type. The algorithm and the keys can be storedread-protected in the internal OTP read-only memory.

The further executive sequence is shown in FIG. 5b. In a first step 141,a counter is reset Z:=0. The counter is a separate circular countermodule or is realized in memory cells of, preferably, the clock/datemodule 95, whereby the memory cells are correspondingly logicallyoperated with one another and are programmable.

In the second step 142, the use data N are taken from the first memoryarea CC1 and an encrypted dataset part is taken from the second memoryarea CC2 of the chip card memory. A corresponding program in theread-only memory 92 controls the data loading. and the following,further computational operations. The status A of the storing of data ina chip card is only present before the first reloading of data into thepostage meter machine. The use data include remaining use data N* andspecific use data N′ according to Equation (2):

N:=N*;N′  (2)

The specific use data N′ selected by the microprocessor according to theprogram are encrypted (3) with a first key K1 to form the crypto codeKC:

K 1[N′]=KC  (3)

The encrypted dataset part MAC2 is preferably a data part M2 encryptedwith a second key K2 and is written as in (4):

MAC 2:=K 2[M 2]=K 2[K 2; CRC(N′)]  (4)

The encrypted dataset part MAC2 is likewise encrypted (5) with the firstkey K1 to form a MAC1:

K 1[MAC 2]=MAC 1  (5)

In the second step 142, finally, the use data N and dataset partsencrypted according to Equation (4) and (5) are copied from the memoryarea C1 into a memory area C2 of the non-volatile memory 94.

In the third step 143, the counter reading of the round counter isincremented to Z:=Z+1.

In the fourth step 144, a decryption attempt is undertaken with thethird key K3 stored in the postage meter machine in the framework of areversible encryption process. To that end, the dataset part MAC2 istaken from the memory area C1, this having been previously loaded fromthe second chip card memory area. According to status A, this datasetpart MAC2 is encrypted with the second key K2. With a reversible, thirdkey K3, the encrypted dataset part MAC2 can be deciphered into thedeciphered data part M2. The decrypted dataset part is intermediatelystored in the main memory RAM. Given a reversible encryption algorithm,the second key K2 can be identical to the third key K3. Preferably, asecret intermediate result is intermediately stored read-protected inthe internal OTP main memory RAM. Thus,

M2:=K2;CRC(N′)  (6)

arises (3) for the decrypted data part M2. The latter includes the CRCchecksum of specifically selected use data N′ and the code of the secondkey K2. The semicolon between the two stands for a specific calculatingoperation for the operation of the two. The microprocessor 91 or 85 isprogrammed for the implementation of this calculating operation and forthe implementation of a corresponding inverse calculating operation.

The unencrypted part of the stored dataset CK in the memory area C1 ofthe non-volatile memory 94 of the postage meter machine is accessed inthe fifth step 145. Predetermined, specific. use data N′ are therebyselected with a mask or with the corresponding calculating rule and theselected use data N′ are subsequently processed to a CRC checksum.

In the sixth step 146, the checksum CRC(N′) is then separated from thedata part M2 with the corresponding inverse calculating operation. Forexample, the calculated checksum CRC(N′) can be subtracted from the datapart M2 for the separating when the second key K2 and the originalchecksum CRC(N′) were additively operated (7) in the data part M2:

M 2−CRC(N′)=K {K 2+CRC(N′)}−CRC(N′)=K  (7)

In the seventh step 147, the remainder K is compared to the third key K3stored internally in the postage meter machine. It can thereby bedetermined whether the two keys have a predetermined relationship to oneanother. A check for equality (8) is only carried out in the simplestcase:

K 3=K ?  (8)

When a predetermined relationship is found, i.e. the remainder in theabove case is identical to the second key K2 and equal to the key K3stored internally in the postage meter machine, a branch is made viastep 150 to the step 151 in order to form a new dataset CK′. A chip cardwith data in status A (FIG. 4a) was thus already capable of beingrecognized in the seventh step 147 in the first loop.

Otherwise, a check is carried out in the eighth step 148 to determinewhether the counter reading of the counter has already reached the valuetwo. This is not yet the case in the first loop. In order to conduct asecond loop, a branch is made back to the aforementioned second step 142via a ninth step 149 in which the memory content of the memory area C1is changed. As a result of the change of the memory content, a datastatus is reached in the memory area C1 as though a data structureaccording to the status A—shown in FIG. 4a—had existed in the datastorage and, thus, as though the first loop were about to begin.

If, however, a predetermined relationship for a valid chip card insertedfor the first time is already found in the first loop, then the secondinternal memory area C2 is accessed in the step 150 in order to form thenew dataset CK′.

CK′:=N*;KC; MAC 1  (9)

is valid (9) for the new dataset CK′.

This dataset CK′ then can be loaded into the chip card in the step 151,i.e. can be non-volatilely stored in the internal chip card memory and,at the same time, represents the status B according to FIG. 4b. In thestep 152, the use data N from the first internal memory area C1 aretransferred into the main memory corresponding to the respectiveapplication or are transferred into another non-volatile memory of thepostage meter machine. Subsequently, the message indicating thesuccessful updating is produced in the step 153, for example in the formof a display or signaled by a beeper.

The status B shown in FIG. 4b is present in every further reloading.

The unencrypted part of the dataset CK′ contains remaining use data N*,i.e. the new use data N without the predetermined use data N′. Theremaining use data N* are supplemented by encrypted use data of thecrypto code KC and are then stored together in the memory area CC1 ofthe chip card 49. The encrypted use data of the crypto code KC areinserted scrambled in a specific way into the remaining use data. Aspecific calculating operation or mask is employed therefor. Thespecific calculating operation is again symbolized by a semicolon in thenew dataset CK′ and, for example, is implemented such that a scrambleddata part arises. The remaining use data N* in the new dataset CK′ arein fact necessary but not adequate for a franking according to validpostage fee schedules.

At the next insertion of the card, a scrambled data part thus must beunscrambled in order to obtain the crypto code KC. The unencrypted,predetermined use data can then be recovered from the latter bydecryption. The predetermined use data N′ recovered by decryption of thecrypto code KC using the first key K1 can now be stored in the postagemeter machine and correspondingly employed.

The encrypted part of the new dataset CK′ contains. a further messageauthentification code MAC1. The latter is stored in the memory area CC2after the first use of the card. In conjunction with the reading of thecircular counter and with the authenticity check, the chip card can alsobe checked with this message authentification code for a presence of thestatus A or B.

Given an inserted chip card with a dataset according to status B, thefollowing calculating operations are implemented in the first pass. Inthe second step 142:

K 1[KC]=N′  (10)

K 1[MAC 1]=MAC 2  (11)

with storage in the memory area C2. After the incrementation of thecircular counter in the third step 144, the following calculatingoperations are implemented; in the fourth step 144:

 K 3[MAC 1]=M 1  (12)

In the fifth and sixth step 145 and 146:

M 1−CRC(CK)=K  (13)

Since no predetermined relationship to K3 was determined in the seventhstep 147, the data N*, N′, MAC2 stored in the memory area C2 are copiedinto the memory area C1 in the ninth step for a second loop. For thesecond loop, thus, data equivalent to status A are present, and thefollowing calculating operations are implemented. In the second step142:

K 1[N′]=KC  (14)

K 1[MAC 2]=MAC 1  (15)

with storage in the memory area C2. Deriving in the fourth step due toEquation (6) and K3 reversible to K2 is:

K 3[MAC 2]=M 2  (16)

In the fifth and sixth step 145 and 146:

M 2−CRC(N′)=K  (17).

In the seventh step 147, a predetermined relationship of the value k toK3 is then found. In a simplified embodiment, the equality of the keysK2=K3 is provided; K=K2=K3 then applies. The authenticity can thus onlybe checked in the second round after a conversion of the MAC1 into aMAC2 that ensued in the first round. If the authenticity is not foundeven after running the second loop, i.e. in the seventh step 147 again,and the circular counter has reached a counter reading=2, then the chipcard is declared invalid, and an error message, “invalid card”, ensuesin the step 154. Thus the authenticity or non-authenticity of the usedata can be ultimately determined after running two loops. Given astatus B in the chip card, thus, the second loop is required in order tobe able to form, first, the code MAC1 in the step 142 and then to formthe new dataset CK′ in the step 150, in order to be able to load thelatter into the chip card in the step 151, as well as to use thepredetermined use data N′ decrypted from the crypto code KC in the firstround in the step 142 and stored in the first memory area C1 in the step149, namely to use the use data N′ in conjunction with the remaining usedata N* (step 152). In a further embodiment, the data of the dataset CK′can differ from one another dependent on the number of uses when analtered code is used for the first key. Further steps that attempt adecryption of the crypto code, or authentification with the assistanceof a different code, are then implemented before an error message in thestep 154.

The non-volatilely stored use data of the postage meter machine can beupdated with the new use data N of the chip card 49. After theirtransfer from the memory area C1 in the step 152, the latter can bestored in at least one of the further memory areas Cn of thenon-volatile memory 94 of the postage meter machine and be present therefor further processing. The stamp image can thereby be modifiedcarrier-specific with that part of the loaded use data N identifying themail carrier, and the postage fee tables can be entirely or partlyupdated with the fee schedule part of the loaded use data N.

The non-volatilely stored use data of a scale can likewise be updatedwith the fee schedule part of the new use data n of the chip card 47, 48or 49 under the guidance of the control system of the postage metermachine, as was fundamentally disclosed in European Application 724 141(corresponding to U.S. Pat. No. 5,710,706). The device 13 (FIG. 2)preceding the postage meter machine in the mail stream is apostage-calculating scale in this case. The latter contains anintegrated postage computer with non-volatile memories for updatablestoring of multi-carrier postage fee tables. The updating is then acomponent of the step 152 for transfer of the use data that is shown inFIG. 5b. The microprocessor is programmed to load the fee schedule partof the use data N from the memory area C1 for their application incorresponding memory areas of a postage-calculating scale 13.

A postal apparatus—similar to that shown in FIG. 2—is equipped at leastwith a control system 1, a chip card write/read unit 70 and a postalsecurity module 86. Preferably, a computer which is upgradable withcorresponding inserts can be re-equipped into the postal apparatus. Theprinting then ensues with a commercially available printer.

An alternative embodiment can include a computer upgraded in theaforementioned way and a connected, specific franking printer. Theaforementioned German application 197 11 997.2, corresponding to U.S.application Ser. No. 09/041,469 discloses a suitable embodiment. Thepersonal computer would only have to be equipped with chip cardwrite/read unit 70 and a corresponding application program. For example,the insert for the modem could be used for this purpose.

The postal apparatus is equipped with a chip card write/read unit 70 forreloading change data by chip card and with a control system 1 to whicha printer 20 that is controlled by the control system 1 is connected.The first chip card 49 inserted into a plug-in slot 72 of the chip cardwrite/read unit 70 allows a reloading of a dataset CK into the postalapparatus for at least one application. The control system 1 includes amicroprocessor 91 with appertaining memories 92, 93, 94, 95. The controlsystem 1 of the postal apparatus is connected to the chip cardwriter/read unit 70 and to a postal security module 86, the postalsecurity modules 86 containing an application-specific circuit ASIC 87,a non-volatile memory 84 and a microprocessor 85. The microprocessor 85of the postal security module 86 is programmed

a) to access first and second memory areas C1 and C2 of the non-volatilememory 84 of the postal security module 86 in which the dataset CKloaded from the chip card and the dataset CK′ to be newly loaded intothe chip card are stored;

b) to apply a specific calculating operation or mask to the use data Ncontained in the loaded dataset CK in order to undertake a data removalfrom the memory area C1 with separation of the predetermined use data N′from the remaining use data N*;

c) to access the memory areas C3 and C4 of the non-volatile memory 84 ofthe postal security module 86 in which a first key K1 and third key K3and an encryption algorithm are stored protected against an unauthorizedreadout;

d) to encrypt the predetermined use data N′ with the first key K1 toform a crypto code KC and store it in the second memory area C2 and toform the new dataset CK′ using the remaining use data N*;

e) to load the new dataset CK′ that has been formed into the chip card;as well as

f) to load the use data N from the memory area C1 for their applicationinto corresponding memory areas.

The control system 1 of the postal apparatus is, for example, thecontrol system of a postage meter machine or a computer that iscorrespondingly re-configured and connected to a postage meter machine.For this reconfiguration the control system 1 of the postal apparatus isconnected to the chip card write/read unit 70 and to the postal securitymodule 86, whereby the postal security module 86 includes anapplication-specific circuit ASIC 87, a non-volatile memory 84. and amicroprocessor 85. The microprocessor 85 of the postal security module86 is programmed to access first and second memory areas C1 and C2 ofthe non-volatile memory 84 of the postal security module 86 in which thedata set CK loaded from the chip card and the dataset CK′ to be newlyloaded into the chip card is stored.

Although modifications and changes may be suggested by those skilled inthe art, it is the intention of the inventor to embody within the patentwarranted hereon all changes and modifications as reasonably andproperly come within the scope of his contribution to the art.

I claim as my invention:
 1. A method for reloading change data into apostal apparatus, said method comprising the steps of: providing anon-volatile memory in a postal apparatus; providing a chip cardwrite/read unit at said postal apparatus in communication with saidnon-volatile memory; storing use data in a first chip card of a firstchip card type; inserting said first chip card a first time into saidchip card write/read unit, recognizing said first chip card type in saidpostal apparatus and loading said use data from said first chip cardinto said non-volatile memory and storing said use data in saidnon-volatile memory; recognizing in said postal apparatus the first timeinsertion of said first chip card and producing modified data in saidpostal apparatus including said use data and an encrypted crypto codewhich identifies said first time insertion of said first chip card;writing said modified data in said first chip card in said chip cardwrite/read unit to uniquely personalize said first chip card for useonly with said postal apparatus; supplying an unpersonalized second chipcard of a second chip card type having change data stored therein forchanging said use data; after removing said first chip card from saidchip card write/read unit, inserting said second chip card in saidwrite/read unit and recognizing said second chip card type in saidpostal apparatus and loading said change data into said non-volatilememory in place of said use data and storing said change data in saidnon-volatile memory; and after removing said second chip card from saidchip card write/read unit, re-inserting said first chip card in saidchip card write/read unit, decrypting said crypto code in said postalapparatus to obtain decrypted information and analyzing said decryptedinformation in said postal apparatus to determine whether there-inserted first chip card is uniquely personalized for said postalapparatus, and upon recognition of said re-inserted first chip card asbeing personalized for said postal apparatus, reloading said use datafrom said first chip card into said non-volatile memory.
 2. A method asclaimed in claim 1 comprising the additional step of, after reloadingsaid use data from said re-inserted first chip card into saidnon-volatile memory, generating further modified data, including afurther encrypted crypto code identifying the re-insertion of said firstchip card, and writing said further modified data in said re-insertedfirst chip card in said chip card write/read unit.
 3. A method asclaimed in claim 2 comprising the steps of re-inserting and removingsaid first chip card in said chip card write/read unit a plurality oftimes and, upon each repeated insertion of said first chip card in saidchip card write/read unit, producing said further modified dataincluding an encrypted crypto code identifying a number of times saidfirst chip card has been inserted in said chip card write/read unit. 4.A method as claimed in claim 1 wherein the step of storing change datafor changing said use data in an unpersonalized second chip card of asecond chip card type comprises providing a chip card having only amemory as said second chip card of said second chip card type.
 5. Apostal apparatus comprising: a printer which prints a postal imprint ona print-receiving medium; control means, connected to said printer, forcontrolling a procedure resulting in the printing of said imprint bysaid printer, said control means including a microprocessor non-volatilememory having a first memory area, a second memory area, a third memoryarea in which a first crypto key is stored and a fourth memory area inwhich an encryption algorithm is stored, said third and fourth memoryareas being protected against unauthorized readout; a chip cardwrite/read unit connected to said control means; a chip card removablyinsertable into said chip card write/read unit, said chip card having adataset stored therein including use data; and said control means, uponinsertion of said chip card in said chip card write/read unit, accessingsaid first memory area and said second memory area of said non-volatilememory and loading said dataset from said chip card into said firstmemory area for storage in said first memory area, applying apredetermined operation on said use data in the dataset loaded into saidfirst memory area to remove predetermined use data from said use data,and leaving remaining use data, accessing said third memory area andsaid fourth memory area of said non-volatile memory to retrieve saidfirst key and said encryption algorithm, encrypting said predetermineduse data using said first key and said encryption algorithm to form acrypto code and storing said crypto code in said second memory area ofsaid non-volatile memory to form a new dataset including said remaininguse data, loading said new dataset from said second memory area intosaid chip card inserted in said chip card write/read unit, for uniquelypersonalizing said chip card for use only with one postal apparatus andloading said use data from said first memory area and employing said usedata from conducting said procedure resulting in printing of saidimprint.
 6. A postal apparatus as claimed in claim 5 further comprisinga postal security module and a postage meter machine containing saidprinter, said chip card write/read unit and said postal security module,wherein said control means comprises a control unit contained in saidpostage meter machine, connected to said chip card write/read unit andto said postal security module, and wherein said postal security modulecomprises an application-specific integrated circuit, a postal securitymodule non-volatile memory containing said first memory area and saidsecond memory area.
 7. A postal apparatus as claimed in claim 5 whereinsaid chip card comprises a first chip card of a first chip card type,said apparatus further comprising at least one second chip card of asecond chip card type, wherein said control means comprises means fordistinguishing between said first and second chip card types andcomprising means for executing at least one function, as part of saidprocedure resulting in the printing of said imprint, dependent on thechip card type, and said control means comprising means for checkingsaid use data to determine whether said use data is authorized dependenton said crypto code stored in said second memory area, means for writingsaid crypto code stored in said second memory area into said first chipcard when said first chip card is inserted in said chip card write/readunit after said use data has been loaded from said first-chip card intosaid first memory area for uniquely personalizing said first chip cardfor use only with one postal apparatus.
 8. A postal apparatus as claimedin claim 5 wherein said use data include a postage fee schedule, andwherein said postal apparatus further comprises a scale connected tosaid control means, said scale including a scale memory and apostage-calculating unit connected to said scale memory, and whereinsaid control means comprises means for loading said fee schedule intosaid scale memory for use by said postage-calculating unit.
 9. A postalapparatus comprising: a postal security module formed by an applicationspecific integrated circuit containing a first memory area and a secondmemory area; a printer which prints a postal imprint on aprint-receiving medium; a chip card/read unit; a chip card removableinsertable into said chip card write/read unit, said chip card having adata set stored thereon including use data; said postal security module,said printer and said chip card write/read unit being contained in apostage meter machine; and a computer separate from said postage metermachine, connected to said printer, said chip card write/read unit andsaid postal security module, for controlling a procedure resulting inthe printing of said imprint by said printer, said computer including amicroprocessor and a non-volatile memory having a third memory area, inwhich a first crypto key is stored and a fourth memory area in which anencryption algorithm is stored, said third and fourth memory areas beingprotected against unauthorized readout, said computer, upon insertion ofsaid chip card in said chip card write/read unit, accessing said firstmemory area and said second memory area of said postal security moduleand loading said dataset from said chip card into said first memory areafor storage in said first memory area, applying a predeterminedoperation on said use data in the dataset loaded into said first memoryarea to remove predetermined use data from said use data, and leavingremaining use data, accessing said third memory area and said fourthmemory area of said non-volatile memory to retrieve said first key andsaid encryption algorithm, encrypting said predetermined use data usingsaid first key and said encryption algorithm to form a crypto code andstoring said crypto code in said second memory area of said postalsecurity module to form a new dataset including said remaining use data,loading said new dataset from said second memory area into said chipcard inserted in said chip card write/read unit, and loading said usedata from said first memory area of said postal security module andemploying said use data from conducting said procedure resulting inprinting of said imprint.